Many simulation based Bounded Model Checking approaches to System Level Formal Verification (SLFV) 
have been devised. Typically such approaches exploit the capability of simulators to save computation 
time by saving and restoring the state of the system under simulation. However, even though such 
approaches aim to (bounded) formal verification, as a matter of fact, the simulator behaviour is not 
formally modelled and the proof of correctness of the proposed approaches basically relies on the 
intuitive notion of simulator behaviour. This gap makes it hard to check if the optimisations introduced 
to speed up the simulation do not actually omit checking relevant behaviours of the system under 
verification. 

The aim of this paper is to fill the above gap by presenting a formal semantics for simulators. 


1 Introduction 

System Level Verification (SLV) of Cyber-physical Systems has the goal of verifying that the whole (i.e., 
software + hardware) system meets the given specifications. Hardware In the Loop Simulation (HILS) 
is currently the main workhorse for system level verification and is supported by Model Based Design 
tools such as Simulink (http://www.mathworks.com), VisSim (http://www.vissim.com) 
and Modelica (https://www.modelica.org/). In HILS the actual software reads [sends] values 
from [to] mathematical models (simulation) of the physical systems (e.g. engines, analog circuits, etc.) 
it will be interacting with. 

Our System Under Verification (SUV) state can take discrete values (e.g., from the software state) 
as well as continuous values (e.g., from the physical system state). Thus our SUV can be conveniently 
modelled as a Hybrid System (e.g., see [2] and citations thereof) whose inputs belong to a finite set of 
uncontrollable events (disturbances) modelling failures in sensors or actuators, variations in the system 
parameters, etc. 

We focus on deterministic systems (the typical case for control systems), and model nondeterministic 
behaviours (such as faults) with disturbances. Accordingly, in our framework, a simulation scenario is 
just a finite sequence of disturbances. 

A system is expected to withstand all disturbance sequences that may arise in its operational scenarios. 
Correctness of a system is thus defined with respect to such admissible disturbance sequences and 
the goal of HILS is exactly that of showing that indeed the considered SUV can withstand all admissible 
disturbance sequences. The set of admissible disturbance sequences typically satisfies constraints like 
the following: 1) the number of failures occurring within a certain period of time is less than a given 
threshold; 2) the time interval between two consecutive failures is greater than a given threshold; 3) a 
failure is repaired within a certain time, etc. 

We focus on HILS based Bounded SLFV of safety properties. That is, given a time horizon $T$ and 
a time step $\tau$ (time quantum between disturbances) our HILS campaign returns PASS if there is no 
admissible disturbance sequence of length $T$ and time step $\tau$ that violates the property under verification 
and FAIL, along with a counterexample, otherwise. In other words, Bounded SLFV is an exhaustive 
(with respect to the set of admissible disturbance sequences) HILS campaign. In such a framework our 
exhaustive HILS campaign works as a black box bounded model checker where the SUV behaviour is 
defined by a simulator. 

1.1 Motivations 

In our context the number of admissible disturbance sequences is finite since the number of disturbances 
is finite and the time horizon as well as the time quantum between disturbances are both bounded. 
Nevertheless the number of admissible disturbance sequences can be quite large. As a result, depending on the 
system considered and on the degree of assurance sought a HILS campaign may easily require months 
of simulation activity. 

To decrease such a simulation time many HILS based Bounded Model Checking approaches to SLFV 
have been devised. Typically such approaches save simulation time by avoiding simulating more than 
once the same sequence of disturbances. This, in turn, is attained by exploiting the capability of 
simulators to save and restore a simulation state. 

However, even though such approaches aim to (bounded) formal verification, as a matter of fact the 
simulator behaviour is never formally modelled and the proof of correctness of the proposed approaches 
basically relies on the intuitive notion of simulator behaviour. This gap makes it hard to check if the 
optimisations introduced to speed up the simulation do not actually omit checking of relevant behaviours 
of the system under verification. 

The aim of this paper is to fill the above gap by presenting a formal semantics for simulators and by 
proving soundness and completeness properties for it. 

1.2 Main Contributions 

Our main contributions can be summarised as follows. 

We give a formal notion of simulator, of simulation campaign, and provide a formal operational 
semantics for simulators. 

We show soundness of our simulator semantics by showing that any simulation campaign defines a 
set of (in silico) experiments that can be carried out on our SUV. 

We show completeness of our simulator semantics by showing that any set of (in silico) experiments 
to be carried out on our SUV can be defined with a simulation campaign. 

1.3 Related Work 

SLFV of cyber-physical systems via HILS based bounded model checking has been studied in many 
contexts. Here are a few examples. Formal verification of Simulink models has been investigated in [22] 
[18] [25] focusing on discrete time models (e.g., Stateflow or Simulink restricted to discrete time operators) 
with small domain variables. Formal verification of fully general Simulink models has been investigated 
in [...]. Formal verification of satellite operational procedures using ESA SIMSAT simulator 
has been investigated in [7]. 

Simulation based approaches to statistical model checking have been widely investigated. Here are 
just a few examples: Simulink models for cyber-physical systems have been studied in [28], mixed- 
analog circuits have been analyzed in [5], smart grid control policies have been considered in [16], and 
biological models have been studied in [...]. 
Figure 1: (a) a discrete event sequence $u \in \mathcal{U}_{\mathcal{D}}$; (b) our SUV; (c) the SUV output $Y(u,t)$. 


Of course Model Based Testing (e.g., see [...]) has widely considered automatic generation of test 
cases from models. In our HILS setting, automatic generation of simulation scenarios (for Simulink) has 
been investigated, for example, in [8] [10] [3] [...]. 

Finally, synergies between simulation and formal methods have been widely investigated also in 
digital hardware verification. Examples are in [...] [9] [20] [6] and citations thereof. 

All simulation based verification approaches considered in the literature heavily rely on carefully 
driving simulators in order to effectively carry out the planned verification activity. However, to the best 
of our knowledge, none of them addresses the issue of providing a simulator semantics accounting for the 
simulator commands enabling saving and restoring of simulation states (the main simulation commands 
used to save simulation time). 

1.4 Outline of the paper 

Section 2 describes how we model disturbances as uncontrollable inputs to our (cyber-physical) SUV 
that, in turn, is modelled as a discrete event system. Section 3 formalises the notion of simulator, 
simulation campaign and simulator semantics. Section 4 and Section 5 provide, respectively, soundness and 
completeness theorems for our simulator semantics. 


2 Dynamical Systems 

In this section we give the formal background on which our approach rests. To this end, we model 
disturbances (Definition 1) and define our system (Definition 4), by rephrasing the definition of dynamical 
system (see, e.g., [21]). Then, we define the simulation scenario, that is the sequence of disturbances 
occurring when the system starts from a given state, and the set of transitions associated to it. 

Throughout the paper, we denote by $\mathbb{N}$ the set of natural numbers, $\mathbb{N}^+$ the set of positive natural numbers, 
$\mathbb{R}^+$, $\mathbb{R}^{\geq 0}$ and $\mathbb{R}$ the sets of positive, non-negative and all real numbers, respectively. Throughout the 
paper, we use $\mathbb{R}^{\geq 0}$ to represent time and $\mathbb{R}^+$ to represent non-zero time durations. 

A discrete event sequence (Definition 1 and Figure 1(a)) is a function associating to each (continuous) 
time instant a disturbance event (such as a fault, a variation in a system parameter, etc). We are 
considering a bounded time horizon, accordingly we require that the number of disturbances is finite, 
since no system can withstand an infinite number of disturbances within a finite time. We represent with 
the real number 0 the event carrying no disturbance and with nonzero reals actual disturbances. 

Definition 1 (Discrete event sequence) Let $\mathcal{D}$ be a finite subset of $\mathbb{R}$ such that $0 \in \mathcal{D}$. A discrete event 
sequence over $\mathcal{D}$ is a function $u : \mathbb{R}^{\geq 0} \to \mathcal{D}$ such that the set $\{t \in \mathbb{R}^{\geq 0} \mid u(t) \neq 0\}$ has finite cardinality. 
We denote with $\mathcal{U}_{\mathcal{D}}$ the set of discrete event sequences over $\mathcal{D}$. We call time horizon of a discrete 
event sequence $u$ the value $\max\{t \in \mathbb{R}^{\geq 0} \mid u(t) \neq 0\}$. 
An event list provides an explicit representation for a discrete event sequence by listing pairs $(\tau, e)$, 
where $e > 0$ is an event and $\tau$ is the time elapsed since the last (nonzero) event. 

Example 1 (Discrete event sequence and event list) As a first example, let us consider the function $u$ 
defined as follows: 

$$u(t) = \begin{cases} 1 & \text{for } t = k\tau, \text{ where } k = 1,2,3 \text{ and } \tau = 1 \\ 0 & \text{otherwise} \end{cases}$$

The corresponding event list is: $[(\tau,1), (\tau,1), (\tau,1)]$, and the time horizon of $u$ is $3\tau$. 

Remark 1 Let $\delta(t)$, with $t \in \mathbb{R}^{\geq 0}$, be the function such that if $t = 0$ then $\delta(t) = 1$, else $\delta(t) = 0$, that is 
$\delta(t)$ represents a discrete impulse. Any discrete event sequence $u(t)$ with horizon $h$ can be written in a 
unique way as a finite sum of discrete impulses, that is: 

$$u(t) = p_0\,\delta(t) + \sum_{i=1}^{h-1} p_i\,\delta\Big(t - \sum_{k=0}^{i-1} \tau_k\Big)$$

where $p_0 \in \mathcal{D}$, $p_i \in (\mathcal{D} - \{0\})$, and $\tau_k \in \mathbb{R}^+$. 

Example 2 (Impulses) Let us consider the discrete event sequence $u$ represented in Figure 1(a). It can 
be defined using impulses as follows: 

$$u(t) = 2\delta(t - 3) + 3\delta(t - 5) + \delta(t - 10) + 2\delta(t - 13)$$

The event list associated to $u$ is: $[(3\tau,2), (2\tau,3), (5\tau,1), (3\tau,2)]$. 


Definition 4 formalizes how we model our SUV, whereas Definitions 2 and 3 define, respectively, the 
subset of $\mathcal{U}_{\mathcal{D}}$ obtained as a restriction to a real interval, and the concatenation of two such subsets. 

Definition 2 Let $\mathcal{U}_{\mathcal{D}}$ be the set of discrete event sequences over the set $\mathcal{D}$. Given a discrete event 
sequence $u \in \mathcal{U}_{\mathcal{D}}$ and two positive real numbers $t_1 < t_2$, we denote with $u|_{[t_1,t_2)}$ the restriction of $u$ to 
the interval $[t_1,t_2)$, the function $u|_{[t_1,t_2)} : [t_1,t_2) \to \mathcal{D}$ such that $u|_{[t_1,t_2)}(t) = u(t)$ for all $t \in [t_1,t_2)$. 
We denote with $\mathcal{U}_{\mathcal{D}}^{[t_1,t_2)}$ the restriction of $\mathcal{U}_{\mathcal{D}}$ to the domain $[t_1,t_2)$. 

Definition 3 Assume that $t_1, t_2, t_3 \in \mathbb{R}^{\geq 0}$ such that $t_1 < t_2 < t_3$. If $\omega \in \mathcal{U}_{\mathcal{D}}^{[t_1,t_2)}$ and $\omega' \in \mathcal{U}_{\mathcal{D}}^{[t_2,t_3)}$, their 
concatenation, denoted as $\omega\omega'$, is the function $\bar{\omega} \in \mathcal{U}_{\mathcal{D}}^{[t_1,t_3)}$ defined as: 

$$\bar{\omega}(t) = \begin{cases} \omega(t) & \text{if } t \in [t_1,t_2) \\ \omega'(t) & \text{if } t \in [t_2,t_3) \end{cases}$$

In our setting the system to be verified can be modelled as a continuous time Input-State-Output 
deterministic dynamical system (see e.g. [21]) whose input functions are discrete event sequences, whose 
state can undertake continuous as well as discrete changes, and whose output ranges on any combination 
of discrete and continuous values. 


Definition 4 (Discrete Event System) A Discrete Event System, or simply DES, $\mathcal{H}$ is a tuple 
$(\mathcal{X}, \mathcal{D}, \mathcal{Y}, \varphi, \psi)$ where: 

• $\mathcal{X}$, the state space of $\mathcal{H}$, is a non-empty set whose elements denote states; 

• $\mathcal{D}$, the input value space of $\mathcal{H}$, is a finite subset of $\mathbb{R}$ such that $0 \in \mathcal{D}$; 

• $\mathcal{Y}$, the output value space of $\mathcal{H}$, is a non-empty set of outputs; 

• $\varphi : \mathbb{R}^{\geq 0} \times \mathcal{X} \times \mathcal{U}_{\mathcal{D}} \to \mathcal{X}$ is the transition map of $\mathcal{H}$. Function $\varphi$ must satisfy the following 
properties: 

- semigroup: for each $t_1, t_2, t_3 \in \mathbb{R}^{\geq 0}$ such that $t_1 < t_2 < t_3$, $\omega \in \mathcal{U}_{\mathcal{D}}^{[t_1,t_2)}$, $\omega' \in \mathcal{U}_{\mathcal{D}}^{[t_2,t_3)}$ and $x \in \mathcal{X}$, 
we have that $\omega\omega' \in \mathcal{U}_{\mathcal{D}}^{[t_1,t_3)}$ is such that $\varphi(t_3 - t_1, x, \omega\omega') = \varphi(t_3 - t_2, \varphi(t_2 - t_1, x, \omega), \omega')$; 

- consistency: for each $u \in \mathcal{U}_{\mathcal{D}}$, $x \in \mathcal{X}$, we have $\varphi(0, x, u) = x$; 

• $\psi : \mathbb{R}^{\geq 0} \times \mathcal{X} \to \mathcal{Y}$ is the observation function of $\mathcal{H}$. 

Note that any simulator driven by its script language can be seen as a discrete event system. This is 
why we focus on DES. 

Our approach can model both the case in which the input is controllable, for example by control 
software (Example 3), and the case in which the input is uncontrollable, for example disturbances such 
as faults (Examples 4 and 5). 

Example 3 (Inverted Pendulum) A simple system is given by the Inverted Pendulum with Stationary 
Pivot Point, see e.g. [...]. The system is modeled by taking the angle $\theta$ and the angular velocity $\dot{\theta}$ as 
state variables. The input of the system is the torquing force $u$, that can influence the velocity in both 
directions. Moreover, the behaviour of the system depends on the pendulum mass $m$, the length of the 
pendulum $l$ and the gravitational acceleration $g$. Given such parameters, the motion of the system is 
described by the differential equation $\ddot{\theta} = \frac{g}{l}\sin\theta + \frac{1}{ml^2}u$. 

Let $\mathcal{D} = \{-1, 0, 1\}$, $\tau = 10^{\ldots}$. Our discrete event system is the tuple $(\mathcal{X}, \mathcal{D}, \mathcal{Y}, \varphi, \psi)$ where: 

• $\mathcal{X} = \ldots$ and $\mathcal{Y} = \ldots$; 

• $\varphi$ is the solution to the system of differential equations: 

$$\dot{x}_1 = x_2, \qquad \dot{x}_2 = \frac{g}{l}\sin x_1 + \frac{1}{ml^2}u$$

where $x_1$ is the angle $\theta$ and $x_2$ is the angular velocity $\dot{\theta}$; 

• $\psi(t)$ is given by $[x_1(t), x_2(t)]$. 

In Figure 2 the Simulink model of the inverted pendulum is shown, where we assume the pendulum 
mass $m = 1$ and the length of the pendulum $l = 1$. Also we assume the function $u$ is given to the model 
as a sequence of values in the set $\{-1, 0, 1\}$. 

Example 4 (Inverted pendulum on cart) Another example is given by the inverted pendulum on cart. 
For this system, the control input is the force $F$ that moves the cart horizontally and the outputs are the 
angular position of the pendulum $\theta$ and the horizontal position of the cart $x$. The physical constraint 
between the cart and pendulum gives that both the cart and the pendulum have one degree of freedom 
each ($x$ and $\theta$, respectively). The controlled system (the plant) consists of the cart and the pendulum, 
whereas the controller consists of the control software computing $F$ from the plant outputs ($x$ and $\theta$). The 
dynamics of the system is described in the example available in the Simulink distribution. The Simulink 
model of the pendulum on cart, where disturbances are added, is shown in Figure 3. 

The system state is a pair $(z, w)$ where $z$ is the state of the control software and $w$ is the plant state, 
namely $w = [w_1, w_2, w_3, w_4]$, where: $w_1$ = cart position, $w_2$ = cart velocity, $w_3$ = pendulum angle, $w_4$ = 
pendulum angular velocity. 

We model irregularities in the cart rail with a disturbance on the cart weight with respect to its 
nominal value 0.455 kg. Let $\mathcal{D} = \{0, 1, 2\}$ be our set of disturbances (see Definition 1) modelling the 
fact that the cart weight is $(d + 0.455)$, with $d \in \mathcal{D}$. 
Figure 2: Simulink model of the inverted pendulum. 


We will use the Inverted pendulum on cart (Example 4) as running example throughout the paper. 

Example 5 (Fuel Control System) The Fuel Control System (FCS) model in the Simulink distribution 
(see Figure 4) has been studied in [27] using statistical model checking techniques, whereas the formal 
verification has been discussed in [...]. The model is equipped with four sensors: throttle angle, 
speed, Oxygen in Exhaust Gas (EGO) and Manifold Absolute Pressure (MAP). In this case, the tuple 
$(\mathcal{X}, \mathcal{D}, \mathcal{Y}, \varphi, \psi)$ representing the discrete event system is: 

• $\mathcal{X}$ is the set of plant (i.e., the engine) states along with the control software states; 

• $\mathcal{Y}$ is the set of plant outputs monitored by the control software; 

• $\mathcal{U}_{\mathcal{D}}$ is the set of disturbance sequences that can be obtained assuming that only sensors EGO and 
MAP can fail, giving rise to disturbances 1 and 2, respectively; the minimum time between faults 
is one second and all faults are transient, that is disturbance 1 models a fault on sensor EGO, 
followed by a repair within one second, and disturbance 2 models a fault on sensor MAP, followed 
by a repair within one second too; 

• $\varphi$ computes the dynamics of the system states; 

• $\psi(t)$ computes the system output from the present system state. 

Our discrete event system as defined in Definition 4 models a hybrid system describing a cyber 
physical system, as shown in Examples 3, 4 and 5. For this reason, we denote our system with $\mathcal{H}$. 

In the following we define the notion of simulation scenario, that is the sequence of disturbances 
received by our system starting from a given initial state, and we give an example. 

Definition 5 (Simulation scenario) A simulation scenario for $\mathcal{H}$ is a pair $(x, u)$ where $x \in \mathcal{X}$ and 
$u \in \mathcal{U}_{\mathcal{D}}$. 

Example 6 (Simulation scenario) Let $\mathcal{H}$ be the Inverted pendulum on cart system described in 
Example 4. Let $u(t)$ be the discrete event sequence defined as: $u(t) = \delta(t - 0.04) + \delta(t - 0.08)$ and let 
the initial state be $x_0 = (z_0, [0,0,0,0])$, where $z_0$ is the control software initial state. Then, a simulation 
scenario for $\mathcal{H}$ is $(x_0, u)$. 

Definitions 6 and 7 give the definition of sequence of transitions and set of transitions explored by a 
SUV under a given simulation scenario, respectively. 
Figure 3: Simulink model of the pendulum on cart with disturbances. (a) Inverted pendulum on cart of 
the Simulink distribution; (b) Cart model with disturbances. 

Definition 6 (Trace of a simulation scenario) Let $\mathcal{H}$ be a DES and let $x \in \mathcal{X}$ be a state and $u \in \mathcal{U}_{\mathcal{D}}$, 
$u(t) = p_0\,\delta(t) + \sum_{i=1}^{h-1} p_i\,\delta(t - \sum_{k=0}^{i-1}\tau_k)$, a discrete event sequence giving a simulation scenario $(x, u)$ 
for $\mathcal{H}$. The trace of the simulation scenario $(x, u)$, denoted $Tr(x, u)$, is the finite sequence of 
transitions $Tr(x, u) = [(x_0, p_0, \tau_0, x_1), (x_1, p_1, \tau_1, x_2), \ldots, (x_{h-1}, p_{h-1}, \tau_{h-1}, x_h)]$ such that $x_0 = x$ and 
$x_{i+1} = \varphi(\tau_i, x_i, p_i\,\delta(t))$. 

Example 7 (Trace of a simulation scenario) Let $\mathcal{H}$ be the Inverted pendulum on cart system 
described in Example 4 and let $(x_0, u)$ be the simulation scenario of Example 6. 

The trace of $(x_0, u)$ is $Tr(x_0, u) = [(x_0, 0, 0.04, x_1), (x_1, 1, 0.04, x_2), (x_2, 1, 0.04, x_3)]$, where $x_0 = 
(z_0, [0,0,0,0])$ and the $x_i$ values, $i = 1,2,3$, are obtained by running the simulation with the 
Simulink model shown in Example 4 and are: $x_1 = (z_1, [-0.017, -0.881, 0.057, 2.914])$, $x_2 = 
(z_2, [-0.049, -0.694, 0.167, 2.451])$ and $x_3 = (z_3, [-0.072, -0.431, 0.253, 1.878])$. 

Definition 7 (Set of transitions of a simulation scenario) The set of transitions associated to a 
simulation scenario $(x, u)$ is the set: 

$$\mathcal{S}_{(x,u)} = \{(z, p, \tau, z') \mid (z, p, \tau, z') \in Tr(x, u)\}$$
Figure 4: The Simulink Fuel Control System (Fault-Tolerant Fuel Control System). 


Example 8 (Set of transitions of a simulation scenario) Let us consider the simulation scenario 
$(x_0, u)$ of system $\mathcal{H}$, and the trace $Tr(x_0, u)$ as in Example 7. The set of transitions associated to $(x_0, u)$ is simply 
the set $\mathcal{S}_{(x_0,u)} = \{(x_0, 0, 0.04, x_1), (x_1, 1, 0.04, x_2), (x_2, 1, 0.04, x_3)\}$, where $x_1$, $x_2$ and $x_3$ assume the values 
specified in Example 7. 
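As an added example (not the paper's code), the following Python converts between the representations of a discrete event sequence used in this section, namely the impulse form of Remark 1, the event list of Examples 1 and 2, and the $(p_i, \tau_i)$ labels that Definition 6 attaches to the transitions of a trace once a time quantum $\tau$ is fixed; the sample data is transcribed from Examples 1, 2 and 6, and the function names are this example's own.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# Times are Fractions so that "multiple of tau" checks are exact; the sample data below is
# transcribed from Examples 1, 2 and 6 of the paper.
Impulses = List[Tuple[Fraction, int]]   # Remark 1: (absolute time t_i, nonzero event p_i)
EventList = List[Tuple[Fraction, int]]  # Example 1: (time elapsed since previous event, event)

def impulses_to_event_list(impulses: Impulses) -> EventList:
    """Remark 1 -> explicit event list: absolute times become elapsed times."""
    items = sorted(impulses)
    assert all(t >= 0 and p != 0 for t, p in items), "impulses carry nonzero events at t >= 0"
    out, last = [], Fraction(0)
    for t, p in items:
        out.append((t - last, p))
        last = t
    return out

def event_list_to_impulses(events: EventList) -> Impulses:
    """Inverse conversion: accumulate the elapsed times back into absolute times."""
    out, t = [], Fraction(0)
    for elapsed, p in events:
        t += elapsed
        out.append((t, p))
    return out

def time_horizon(impulses: Impulses) -> Fraction:
    """Definition 1: the largest instant carrying a nonzero event (0 if there is none)."""
    return max((t for t, _ in impulses), default=Fraction(0))

def step_events(impulses: Impulses, tau: Fraction) -> List[Tuple[int, Fraction]]:
    """Definition 6: the (p_i, tau_i) pairs of u when it is sampled every tau time units.

    p_i is the event at time i*tau (0 where u has no impulse) and every tau_i equals tau,
    so the list has horizon/tau + 1 entries: one transition per time quantum, up to and
    including the one that starts at the last nonzero event (cf. Examples 7 and 9)."""
    at: Dict[Fraction, int] = {t: p for t, p in impulses}
    assert all(t % tau == 0 for t in at), "every event must fall on the tau grid"
    steps = int(time_horizon(impulses) / tau)
    return [(at.get(i * tau, 0), tau) for i in range(steps + 1)]

# Example 1 (tau = 1): u(t) = 1 for t = 1, 2, 3.
EXAMPLE_1: Impulses = [(Fraction(k), 1) for k in (1, 2, 3)]
# Example 2: u(t) = 2 delta(t-3) + 3 delta(t-5) + delta(t-10) + 2 delta(t-13).
EXAMPLE_2: Impulses = [(Fraction(3), 2), (Fraction(5), 3), (Fraction(10), 1), (Fraction(13), 2)]
# Example 6: u(t) = delta(t-0.04) + delta(t-0.08) with time quantum tau = 0.04.
TAU = Fraction(4, 100)
EXAMPLE_6: Impulses = [(TAU, 1), (2 * TAU, 1)]
```

For Example 6, `step_events(EXAMPLE_6, TAU)` yields the labels `(0, 0.04), (1, 0.04), (1, 0.04)` of the trace in Example 7.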


3 Simulators and Simulation Campaigns 

In this Section we formalise the notion of discrete event system simulator (Definition 8 and Definition 9), 
of simulation campaign (Definition 10) and of set of transitions of a simulation campaign (Definition 12). 

In many cases it is necessary to consider a huge number of simulation scenarios to obtain an 
exhaustive HILS campaign. The overall number of simulation steps can be prohibitively large if each scenario is 
simulated from the initial state of the (SUV) simulator. The definition of set of transitions of a 
simulation campaign (Definition 12) helps to identify the states necessary to complete the simulation campaign 
while avoiding repeating the same sequence of commands several times. 

Definition 8 (Discrete Event System Simulator) A Discrete Event System (DES) simulator $\mathcal{S}$ is a 
tuple $(\mathcal{H}, W)$, where $\mathcal{H} = (\mathcal{X}, \mathcal{D}, \mathcal{Y}, \varphi, \psi)$ is a DES and $W$ is a finite set whose elements are called 
simulator states. Each $w \in W$ is a pair $(x, M)$ where $x \in \mathcal{X}$ is a state of $\mathcal{H}$ and $M$ is a finite subset of 
$\mathcal{X}$ that models the content of the simulator memory. 

Unless otherwise stated, in the following $\mathcal{S}$ is a simulator for the DES $\mathcal{H}$ as in Definition 8. 
Note that, at the beginning, the simulator memory contains the initial state $x_0$ of $\mathcal{H}$. 
The semantics of the simulator commands we use to execute our simulation scenarios, and the transition 
function $\Delta$, are given in Definition 9. 

Definition 9 (Simulator commands and transition function) Let $\mathcal{S}$ be a simulator. 

• The commands for $\mathcal{S}$ are: $load(x)$, $store$, $free(x)$, $run(p, \tau)$, where $x \in \mathcal{X}$ is a state of $\mathcal{H}$, $\tau \in \mathbb{R}^+$ 
is a time duration, and $p$ is an event ($x$, $\tau$, $p$ are command arguments). 

• The transition function $\Delta$ of $\mathcal{S}$ defines how the internal state of the simulator $\mathcal{S}$ changes upon 
execution of a command. Namely: $\Delta(x, M, cmd(args)) = (x', M')$ when the simulator $\mathcal{S}$ moves 
from internal state $(x, M)$ to state $(x', M')$ upon processing command $cmd$ with arguments $args$. 
For each $x \in \mathcal{X}$, function $\Delta$ is defined as follows: 

- if $x' \in M$ then $\Delta(x, M, load(x')) = (x', M)$ 

- if $x' \in M$ then $\Delta(x, M, free(x')) = (x, M \setminus \{x'\})$ 

- $\Delta(x, M, store) = (x, M \cup \{x\})$ 

- $\Delta(x, M, run(p, \tau)) = (x', M)$, where $x' = \varphi(\tau, x, u)$ and $u(t) = p\,\delta(t)$. 

Given a sequence of simulation scenarios, we can build a sequence of commands, a simulation 
campaign, driving the simulator through such scenarios. We define the simulator output sequence as the 
sequence of the SUV outputs associated to the simulator states traversed by a simulation campaign. 
Conversely, given a simulation campaign, we can compute the sequence of scenarios simulated by it. 
These concepts are formalised in Definition 10. 

Definition 10 (Simulation campaign and sequence of simulator states) Let $\mathcal{S}$ be a simulator and let 
$\Delta$ be its transition function. 

• A simulation campaign for $\mathcal{S}$ is a triple $\Sigma = (x, M, \chi)$, where $x \in \mathcal{X}$, $M \subseteq \mathcal{X}$ and $\chi$ 
is a sequence (possibly empty or infinite) of commands along with their arguments, $\chi = 
cmd_0(args_0), cmd_1(args_1), \ldots$ A simulation campaign consisting of a finite sequence of 
commands is a finite simulation campaign or a simulation campaign of finite length; the length of 
$\chi = cmd_0(args_0), \ldots, cmd_{c-1}(args_{c-1})$ is $c$ and it is denoted by $|\chi| = c$. 

• The sequence of simulator states of $\mathcal{S}$ with respect to a simulation campaign $\Sigma = (x_0, M_0, \chi)$ is 
the sequence $(x_0, M_0), (x_1, M_1), \ldots$, where for all $j$, $\Delta(x_j, M_j, cmd_j(args_j)) = (x_{j+1}, M_{j+1})$. 
We denote with $\chi(x_0, M_0, j)$ the $j$-th element of such a sequence, that is $\chi(x_0, M_0, j) = (x_j, M_j)$. In 
other words $\chi(x_0, M_0, j)$ is the simulator state after the execution of the $j$-th command. 

• The set of simulator states with respect to a simulation campaign $\chi$ is denoted $\chi(x_0, M_0)$, that is 
$\chi(x_0, M_0) = \{\chi(x_0, M_0, j) \mid j = 0, 1, \ldots, |\chi| - 1\}$. 

Example 9 (Simulation campaign) Let $\mathcal{H}$ be the Inverted pendulum on cart considered in Example 4 
and let $(x_0, u)$ be the simulation scenario considered in Example 6, where $u(t) = \delta(t - 0.04) + \delta(t - 0.08)$. 

The simulation campaign $\Sigma$ obtained by using this simulation scenario is the triple $\Sigma = (x_0, \{x_0\}, \chi)$, 
where $\chi$ is the sequence of commands $\chi = (run(0, 0.04), run(1, 0.04), run(1, 0.04))$. 

The sequence of simulator states with respect to $\Sigma$ is: 

$$(x_0, \{x_0\}) \xrightarrow{run(0,0.04)} (x_1, \{x_0\}) \xrightarrow{run(1,0.04)} (x_2, \{x_0\}) \xrightarrow{run(1,0.04)} (x_3, \{x_0\}).$$

State values are obtained by running the simulation. 

An example of a more complex simulation campaign, $\Sigma_1$, can be obtained by considering the sequence 
of simulation scenarios $((x_0, u), (x_3, u_1), (x_3, u_2), (x_0, u_3))$, where: 

$$u(t) = \delta(t - 0.04) + \delta(t - 0.08)$$
$$u_1(t) = \delta(t - 0.04) + \delta(t - 0.08) + \delta(t - 0.12)$$
$$u_2(t) = \delta(t - 0.12)$$
$$u_3(t) = \delta(t - 0.04) + 2\delta(t - 0.12) + \delta(t - 0.16) + 2\delta(t - 0.24).$$
Figure 5: A graphical representation of simulation campaign $\Sigma_1$ (Example 9). 

Figure 6: A graphical representation of the normal simulation campaign $\Sigma_2$ (Example 10). 


A graphical representation of simulation campaign $\Sigma_1$ is shown in Figure 5, where we see that the 
discrete event sequences $u(t)$ and $u_3(t)$ are applied when having state $x_0$, and sequences $u_1$ and $u_2$ are 
applied having state $x_3$. 

The simulation campaign $\Sigma_1$ obtained by using the sequence of simulation scenarios above is the 
triple $\Sigma_1 = (x_0, \{x_0\}, \chi_1)$, where $\chi_1$ is given by the following command sequence: 

$\chi_1 = run(0,0.04), run(1,0.04), run(1,0.04), store,$ 
$run(1,0.04), run(1,0.04), run(1,0.04), load(x_3),$ 
$run(0,0.04), run(0,0.04), run(1,0.04), free(x_3),$ 
$load(x_0), run(1,0.04), run(0,0.04), run(2,0.04),$ 
$run(1,0.04), run(0,0.04), run(2,0.04)$ 

The sequence of simulator states with respect to $\Sigma_1$ is: 

$(x_0, \{x_0\}) \xrightarrow{run(0,0.04)} (x_1, \{x_0\}) \xrightarrow{run(1,0.04)} (x_2, \{x_0\}) \xrightarrow{run(1,0.04)} (x_3, \{x_0\}) \xrightarrow{store}$ 
$(x_3, \{x_0, x_3\}) \xrightarrow{run(1,0.04)} (x_4, \{x_0, x_3\}) \xrightarrow{run(1,0.04)} (x_5, \{x_0, x_3\}) \xrightarrow{run(1,0.04)} (x_6, \{x_0, x_3\}) \xrightarrow{load(x_3)}$ 
$(x_3, \{x_0, x_3\}) \xrightarrow{run(0,0.04)} (x_7, \{x_0, x_3\}) \xrightarrow{run(0,0.04)} (x_8, \{x_0, x_3\}) \xrightarrow{run(1,0.04)} (x_9, \{x_0, x_3\}) \xrightarrow{free(x_3)}$ 
$(x_9, \{x_0\}) \xrightarrow{load(x_0)} (x_0, \{x_0\}) \xrightarrow{run(1,0.04)} (x_{10}, \{x_0\}) \xrightarrow{run(0,0.04)} (x_{11}, \{x_0\}) \xrightarrow{run(2,0.04)} (x_{12}, \{x_0\}) \xrightarrow{run(1,0.04)}$ 
$(x_{13}, \{x_0\}) \xrightarrow{run(0,0.04)} (x_{14}, \{x_0\}) \xrightarrow{run(2,0.04)} (x_{15}, \{x_0\})$ 


Definition 11 gives the notion of normal simulation campaign, that is a simulation campaign for 
which every simulation scenario starts from an initial state. 

Definition 11 (Normal Simulation Campaign) A simulation campaign is in normal form if it consists 
only of commands $load$ and $run$. 

Example 10 (Normal Simulation Campaign) An example of simulation campaign in normal form is 
$\Sigma_2 = (x_0, \{x_0\}, \chi_2)$, where $\chi_2$ is given by the following command sequence: 

$\chi_2 = run(0,0.04), run(1,0.04), run(1,0.04), run(1,0.04), run(1,0.04), run(1,0.04),$ 
$load(x_0), run(0,0.04), run(1,0.04), run(1,0.04), run(0,0.04), run(0,0.04), run(1,0.04),$ 
$load(x_0), run(1,0.04), run(0,0.04), run(2,0.04), run(1,0.04), run(0,0.04), run(2,0.04)$ 

A graphical representation of $\Sigma_2$ is shown in Figure 6. 
Note that, since a normal simulation campaign has no $store$ commands, a command $load$ can only 
load an initial state. 

Definition 12, resting on Definition 10, defines the set of transitions of a simulation campaign. 
Definition 13 gives the notion of equivalent simulation campaigns. 

Definition 12 (Set of transitions of a Simulation Campaign) We denote with $\mathcal{S}_\Sigma$ the set of 
transitions of $\mathcal{H}$ explored by $\Sigma$, that is $\mathcal{S}_\Sigma = \{(x, p, \tau, x') \mid \exists M, M'\, [(x, M) \text{ is a simulator state of } \mathcal{S} \text{ wrt } \Sigma \wedge 
\Delta(x, M, run(p, \tau)) = (x', M')]\}$. 

Definition 13 (Equivalent simulation campaigns) We say that the simulation campaign $\Sigma$ is equivalent 
to $\Sigma'$ and we write $\Sigma \sim \Sigma'$ iff $\mathcal{S}_\Sigma = \mathcal{S}_{\Sigma'}$. 

Example 11 (Equivalent simulation campaigns) The simulation campaign $\Sigma_1$ in Example 9 and the 
normal simulation campaign $\Sigma_2$ in Example 10 are equivalent. 

In fact the set of transitions explored by $\Sigma_1$ and $\Sigma_2$ is: 

$\mathcal{S}_{\Sigma_1} = \mathcal{S}_{\Sigma_2} = \{ (x_0, 0, 0.04, x_1), (x_1, 1, 0.04, x_2), (x_2, 1, 0.04, x_3), (x_3, 1, 0.04, x_4), (x_4, 1, 0.04, x_5),$ 
$(x_5, 1, 0.04, x_6), (x_3, 0, 0.04, x_7), (x_7, 0, 0.04, x_8), (x_8, 1, 0.04, x_9), (x_0, 1, 0.04, x_{10}), (x_{10}, 0, 0.04, x_{11}),$ 
$(x_{11}, 2, 0.04, x_{12}), (x_{12}, 1, 0.04, x_{13}), (x_{13}, 0, 0.04, x_{14}), (x_{14}, 2, 0.04, x_{15}) \}$ 

This can also be easily seen looking at the set of edges (transitions) in Figures 5 and 6. 

Lemma 1 formalizes the fact that for each simulation campaign, we can determine an equivalent 
simulation campaign in which each simulation scenario starts from an initial state. 

Lemma 1 Given a simulation campaign $\Sigma$ for a simulator $\mathcal{S}$, there exists a simulation campaign $\Sigma'$ 
such that: 

• $\Sigma'$ is in normal form 

• $\Sigma' \sim \Sigma$ 

We give the idea of the proof by using the following example. 

Example 12 (Lemma 1) Consider the simulation campaign $\Sigma_1$ in Example 9. $\Sigma_1$ is not in normal form. 
However, by modifying it so that all simulation scenarios (paths on the tree of Figure 5) start from the 
initial state, we get the normal simulation campaign $\Sigma_2$ illustrated in Example 10. 

Further, it follows from Example 10 that $\Sigma_1 \sim \Sigma_2$. 


4 Soundness 

In this section we show the soundness of our simulator semantics. That is, we show that any simulation 
campaign stems from a set of simulation scenarios. This guarantees that any simulation campaign has 
indeed a physical (computational) meaning. 

Theorem 1 (Soundness) Given a simulation campaign $\Sigma$ for $\mathcal{S}$ there exists a set $\mathcal{A} = 
\{(x_1, u_1), (x_2, u_2), \ldots, (x_k, u_k)\}$ of simulation scenarios such that 

$$\mathcal{S}_\Sigma = \bigcup\{\mathcal{S}_{(x_i, u_i)} \mid i = 1, \ldots, k\}.$$

As we did for Lemma 1, we give the idea of the proof by using an example. 
Example 13 (Soundness) Consider the simulation campaign $\Sigma_1$ in Example 9. The set of transitions of 
$\Sigma_1$, $\mathcal{S}_{\Sigma_1}$, is shown in Example 11. 

Now, let us consider the set $\mathcal{A}$ consisting of simulation scenarios $(x_0, u)$, $(x_3, u_1)$, $(x_3, u_2)$ and 
$(x_0, u_3)$, defined in Example 9. 

The set of transitions for simulation scenario $(x_0, u)$ is shown in Example 8 and the sets of 
transitions associated to the other three simulation scenarios are, respectively: 

$\mathcal{S}_1 = \mathcal{S}_{(x_3, u_1)} = \{ (x_3, 1, 0.04, x_4), (x_4, 1, 0.04, x_5), (x_5, 1, 0.04, x_6) \}$ 

$\mathcal{S}_2 = \mathcal{S}_{(x_3, u_2)} = \{ (x_3, 0, 0.04, x_7), (x_7, 0, 0.04, x_8), (x_8, 1, 0.04, x_9) \}$ 

$\mathcal{S}_3 = \mathcal{S}_{(x_0, u_3)} = \{ (x_0, 1, 0.04, x_{10}), (x_{10}, 0, 0.04, x_{11}), (x_{11}, 2, 0.04, x_{12}), (x_{12}, 1, 0.04, x_{13}),$ 
$(x_{13}, 0, 0.04, x_{14}), (x_{14}, 2, 0.04, x_{15}) \}$ 

It is easy to see that $\mathcal{S}_{\Sigma_1} = \bigcup\{\mathcal{S}_j \mid j = 0, \ldots, 3\}$. 


5 Completeness 


In this section we show the completeness of our simulator semantics. That is, we show that any set of 
simulation scenarios yields a simulation campaign. This guarantees that any set of physical experiments 
can be defined by a suitable simulation campaign. 

Theorem 2 Let $\mathcal{A} = \{(x_1, u_1), (x_2, u_2), \ldots, (x_k, u_k)\}$ be a set of simulation scenarios of $\mathcal{H}$. Then there 
exists a simulation campaign $\Sigma$ for $\mathcal{S}$ such that 

$$\mathcal{S}_\Sigma = \bigcup\{\mathcal{S}_{(x_i, u_i)} \mid i = 1, \ldots, k\}.$$

Also for this theorem, we give the idea of the proof by using an example. 

Example 14 (Completeness) Let us consider the set $\mathcal{A}$ consisting of simulation scenarios $(x_0, u)$, 
$(x_3, u_1)$, $(x_3, u_2)$ and $(x_0, u_3)$, defined in Example 9. 

The sets of transitions associated to these simulation scenarios, $\mathcal{S}_0 = \mathcal{S}_{(x_0, u)}$, $\mathcal{S}_1 = \mathcal{S}_{(x_3, u_1)}$, $\mathcal{S}_2 = 
\mathcal{S}_{(x_3, u_2)}$ and $\mathcal{S}_3 = \mathcal{S}_{(x_0, u_3)}$, are shown in Example 13. Let $\mathcal{S}$ be the set obtained as the union of the sets of 
transitions above, that is $\mathcal{S} = \bigcup\{\mathcal{S}_j \mid j = 0, \ldots, 3\}$. 

Now, let us consider the simulation campaign $\Sigma_1$ in Example 9 and the set of transitions of $\Sigma_1$, $\mathcal{S}_{\Sigma_1}$, 
shown in Example 11. 

It is easy to see that $\mathcal{S} = \mathcal{S}_{\Sigma_1}$. 


6 Conclusions 

We provided a formal notion of simulator, of simulation campaign, and a formal operational semantics 
for simulators. 

Furthermore we showed soundness and completeness of our simulator semantics by showing that any 
simulation campaign defines a set of (in silico) experiments for the SUV (soundness) and, conversely, 
that any such a set can be defined with a simulation campaign (completeness). 

This work enables formal proofs of correctness for simulation based formal verification approaches 
and provides formal tools enabling investigation of more aggressive approaches to the optimisation of 
the simulation activity entailed by HILS based SLFV. 

Acknowledgements. Work partially supported by FP7 projects SmartHG (317761) and PAEON 
(600773). 